Technical Tip: How to interpret the DNS answer from DNS over TLS (DoT)
Description
This article describes how to interpret the DNS answer when the FortiGate's DNS communication is encrypted with DNS over TLS (DoT), where the packet sniffer can no longer show the payload.
Scope
FortiGate.
Solution
To check the DNS answer for cleartext queries (port 53), the packet sniffer is enough.
When DoT is enabled, the DNS payload is encrypted inside TLS, so the answer cannot be read from the sniffer output. It must be taken from the dnsproxy debug output instead.
The debug commands are:
diagnose debug reset                       <--- clear any debug that is already running
diagnose debug console timestamp enable    <--- add a timestamp to every debug line
diagnose debug application dnsproxy -1     <--- enable all dnsproxy debug levels
diagnose debug enable
Once the query has been captured, stop the debug with 'diagnose debug disable' followed by 'diagnose debug reset'.
Look for the following lines in the output:
... dns_cache_response()-270: Response is error (3) will not cache       <--- NXDOMAIN (rcode 3)
... dns_cache_response()-289: Response contains no answer. Will not cache <--- NOERROR with an empty answer section
... dns_cache_response()-310: Min ttl = XX                                <--- NOERROR with a normal answer; XX is the lowest TTL of the returned records
These references (270, 289 and 310) are the same for both cleartext and encrypted communication, so the same lines can be used to interpret the answer in either case. They are source line references inside dns_cache_response(), so it is safer to match on the message text than on the number alone, since the number can shift between firmware versions.
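As an added example (not part of the original tip, and not Fortinet code), the following Python script classifies dnsproxy debug output into the three cases described above. Only the dns_cache_response() message fragments are taken from the tip; the sample log lines, the timestamp format, and the assumption that line 270 reports other rcodes (such as 2 for SERVFAIL) in the same "Response is error (N)" form are constructed for illustration.

```python
"""Classify FortiGate dnsproxy debug lines by DNS answer type.

Matches on the message text rather than the bare source line number, so a
shift in the line reference between firmware versions does not break it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Message fragments quoted in the tip. The rcode in parentheses is captured
# so that rcodes other than 3 (an assumption: the same line is expected for
# any error response) are named correctly.
_ERROR_RE = re.compile(r"dns_cache_response\(\)-\d+: Response is error \((\d+)\) will not cache")
_EMPTY_RE = re.compile(r"dns_cache_response\(\)-\d+: Response contains no answer\. Will not cache")
_TTL_RE = re.compile(r"dns_cache_response\(\)-\d+: Min ttl = (\d+)")

# Standard DNS rcodes (RFC 1035 / IANA registry).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


@dataclass
class DnsVerdict:
    line_no: int
    verdict: str            # NXDOMAIN, SERVFAIL, ..., NOERROR-EMPTY or NOERROR-ANSWER
    detail: Optional[int]   # rcode for error lines, minimum TTL for answers, else None


def classify_line(line_no: int, line: str) -> Optional[DnsVerdict]:
    """Return a verdict for one debug line, or None if it is not a cache decision."""
    m = _ERROR_RE.search(line)
    if m:
        rcode = int(m.group(1))
        return DnsVerdict(line_no, RCODE_NAMES.get(rcode, f"RCODE{rcode}"), rcode)
    if _EMPTY_RE.search(line):
        return DnsVerdict(line_no, "NOERROR-EMPTY", None)
    m = _TTL_RE.search(line)
    if m:
        return DnsVerdict(line_no, "NOERROR-ANSWER", int(m.group(1)))
    return None


def classify_debug(text: str) -> List[DnsVerdict]:
    """Scan a whole debug capture and return every answer verdict in order."""
    verdicts = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        v = classify_line(line_no, line)
        if v is not None:
            verdicts.append(v)
    return verdicts


def summarize(text: str) -> dict:
    """Count verdicts by type, e.g. to spot a burst of NXDOMAIN on a DoT resolver."""
    counts: dict = {}
    for v in classify_debug(text):
        counts[v.verdict] = counts.get(v.verdict, 0) + 1
    return counts


# Constructed sample capture. The timestamp prefix and the interleaved
# lines are illustrative only; they are not real FortiGate output.
SAMPLE_DEBUG = """\
2024-01-01 10:00:00 handle_dns_request()-100: query for nonexistent.example
2024-01-01 10:00:00 dns_cache_response()-270: Response is error (3) will not cache
2024-01-01 10:00:01 handle_dns_request()-100: query for no-aaaa.example
2024-01-01 10:00:01 dns_cache_response()-289: Response contains no answer. Will not cache
2024-01-01 10:00:02 handle_dns_request()-100: query for www.example
2024-01-01 10:00:02 dns_cache_response()-310: Min ttl = 300
2024-01-01 10:00:03 dns_cache_response()-270: Response is error (2) will not cache
"""

if __name__ == "__main__":
    for v in classify_debug(SAMPLE_DEBUG):
        print(f"line {v.line_no}: {v.verdict} (detail={v.detail})")
    print(summarize(SAMPLE_DEBUG))
```

Paste the captured console output into a file and feed it to classify_debug(); the line numbers in the verdicts point back to the exact debug line, which is useful when correlating a failed lookup with the timestamps enabled earlier.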